Antonio_Macia_R
Aug 02, 2016 Nimbostratus
DoS Profile - URL Detection criteria question
Hello,
My question is related to the way the F5 detects a DoS when we use the URL detection criteria under the TPS-based anomaly. When calculating the TPS, does it take into account the source IP, or does it just add up the total of requests for the same URL? From my understanding, if the engine sums all the requests for a URL and the thresholds are reached, then it will start blocking not only the attacker but also legitimate traffic. Is this the expected behaviour?
On the other hand, how does the DoS engine detect that an attack has finished?
Thanks.